
multiple admins and access rights



Hello,

First, thanks to the developers for the great job done with OpenLDAP!

Here's my question:
Is it possible within the current access control model to have something
like "shared administration", that is, I want to grant the right to
create new entries with a specific set of attributes to Admin1. Admin2
should be able to modify these entries by adding / modifying other
attributes, but should be able neither to modify the entries written by
Admin1 nor to delete the entry itself. I tried it with the following
access rules (that didn't work :-( ).

Admin2 should have the right to add / modify a postaladdress, but
nothing else. Admin1 therefore should be able to create the entry and
write cn, ou, o and c attributes:

defaultaccess   read
access to * attrs=dn,cn,ou,o,c
        by dn="cn=Admin1,o=myorg,c=de"  write
        by *                            read

access to * attr=postaladdress
        by dn="cn=Admin2,o=myorg,c=de"  write
        by *                            read

Did I miss something important here?

Thanks for help,
Kai